
Commit fd9f45a

Support TLS for RGW
With this patch, the cifmw ceph deployment includes the TLS certificate in the RGW deployment when one is passed.
1 parent e2803ac commit fd9f45a


5 files changed

+34
-9
lines changed

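--- a/playbooks/ceph.yml
+++ b/playbooks/ceph.yml
@@ -253,6 +253,9 @@
 tasks_from: monitoring
 vars:
 cifmw_cephadm_monitoring_network: "{{ lookup('ansible.builtin.ini', 'public_network section=global file=' ~ cifmw_cephadm_bootstrap_conf) }}"
+cifmw_cephadm_dashboard_crt: "{{ cifmw_cephadm_certificate }}"
+cifmw_cephadm_dashboard_key: "{{ cifmw_cephadm_key }}"
+
 
 - name: Create cephfs volume
 ansible.builtin.import_role: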

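--- a/roles/cifmw_cephadm/README.md
+++ b/roles/cifmw_cephadm/README.md
@@ -57,15 +57,15 @@ need to be changed for a typical EDPM deployment.
 `cifmw_cephadm_certs`: The path on the ceph host where TLS/SSL certificates
 are located. It points to '/etc/pki/tls'
 
-* `cifmw_cephadm_dashboard_crt`: The SSL/TLS certificate signed by CA which is
-an optional parameter. If it is provided, ceph dashboard will be configured
-for SSL automatically. Certificate should be made available in
+* `cifmw_cephadm_certificate`: The SSL/TLS certificate signed by CA which is
+an optional parameter. If it is provided, ceph dashboard and rgw will be
+configured for SSL automatically. Certificate should be made available in
 `cifmw_cephadm_certs` path only. To enable SSL for dashboard, both
-`cifmw_cephadm_dashboard_crt` and `cifmw_cephadm_dashboard_key` are needed.
+`cifmw_cephadm_certificate` and `cifmw_cephadm_key` are needed.
 
-* `cifmw_cephadm_dashboard_key`: The SSL/TLS certificate key which is an
-optional parameter. If it is provided, ceph dashboard will be configured
-for SSL automatically.
+* `cifmw_cephadm_key`: The SSL/TLS certificate key which is an
+optional parameter. If it is provided, ceph dashboard and rgw will be
+configured for SSL automatically.
 
 * `cifmw_cephadm_monitoring_network`: the Ceph `public_network` where the
 dashboard monitoring stack instances should be bound. The network range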

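--- a/roles/cifmw_cephadm/defaults/main.yml
+++ b/roles/cifmw_cephadm/defaults/main.yml
@@ -90,8 +90,8 @@ cifmw_ceph_rgw_config:
 cifmw_cephadm_cephfs_name: "cephfs"
 cifmw_cephadm_ceph_spec_fqdn: "{{ ceph_spec_fqdn | default(false) | bool }}"
 cifmw_ceph_dashboard_spec_path: /tmp/ceph_dashboard.yml
-cifmw_cephadm_dashboard_crt: ""
-cifmw_cephadm_dashboard_key: ""
+cifmw_cephadm_certificate: ""
+cifmw_cephadm_key: ""
 cifmw_cephadm_dashboard_port: 8444
 cifmw_cephadm_grafana_admin_user: 'admin'
 cifmw_cephadm_grafana_admin_password: '/home/grafana_password.yml'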
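Review bot: The defaults for `cifmw_cephadm_dashboard_crt` and `cifmw_cephadm_dashboard_key` are dropped here, yet playbooks/ceph.yml in this same commit still passes those two names into the monitoring tasks, which suggests the dashboard tasks still read them; any other path into those tasks that does not pass the vars explicitly now fails on an undefined variable instead of getting the previous empty default. Keeping compatibility defaults next to the new names avoids that: `cifmw_cephadm_dashboard_crt: "{{ cifmw_cephadm_certificate }}"` and `cifmw_cephadm_dashboard_key: "{{ cifmw_cephadm_key }}"`. That the monitoring tasks still reference the old names is inferred from the playbook change, not visible in this section.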

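--- a/roles/cifmw_cephadm/tasks/rgw.yml
+++ b/roles/cifmw_cephadm/tasks/rgw.yml
@@ -29,6 +29,19 @@
 _hosts: "{{ _hosts|default([]) + [ hostvars[item][ceph_hostname_var] ] }}"
 loop: "{{ groups['edpm'] }}"
 
+- name: Get and save TLS certificate for rgw spec if provided
+when: cifmw_cephadm_certificate | length > 0 and
+cifmw_cephadm_key | length > 0
+block:
+- name: Get the certificate content
+register: slurp_cert
+ansible.builtin.slurp:
+src: "{{ cifmw_cephadm_certificate }}"
+
+- name: Set rgw_frontend_cert for rgw spec
+ansible.builtin.set_fact:
+rgw_frontend_cert: "{{ slurp_cert['content'] | b64decode }}"
+
 - name: Create a Ceph RGW spec
 ansible.builtin.template:
 src: templates/ceph_rgw.yml.j2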
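Review bot: The new block requires `cifmw_cephadm_key` to be non-empty but never reads it: only `cifmw_cephadm_certificate` is slurped into `rgw_frontend_cert`, so the spec rendered from that fact carries the certificate alone. As far as I know, cephadm's `rgw_frontend_ssl_certificate` and the ingress `ssl_cert` expect one PEM blob holding the private key together with the certificate, so unless `cifmw_cephadm_certificate` already points at such a combined file (the README in this commit describes it as the certificate only, with the key in a separate variable) RGW and haproxy will be handed a certificate without a usable key; worth confirming against the cephadm service-spec docs for the target Ceph release. If the key is slurped as well, the registered result and the fact then hold private key material, so both tasks should carry `no_log: true` so that `-v` runs do not print it, and the spec file written by the following template task should get a restrictive `mode` (that task's arguments continue outside the hunk).
```yaml
- name: Get and save TLS certificate and key for rgw spec if provided
  when: cifmw_cephadm_certificate | length > 0 and
        cifmw_cephadm_key | length > 0
  block:
    - name: Get the certificate content
      register: slurp_cert
      ansible.builtin.slurp:
        src: "{{ cifmw_cephadm_certificate }}"

    - name: Get the private key content
      register: slurp_key
      no_log: true
      ansible.builtin.slurp:
        src: "{{ cifmw_cephadm_key }}"

    # key first, then certificate, as in the cephadm spec examples — confirm for the target release
    - name: Set rgw_frontend_cert for rgw spec (private key + certificate, PEM)
      no_log: true
      ansible.builtin.set_fact:
        rgw_frontend_cert: "{{ slurp_key['content'] | b64decode }}{{ slurp_cert['content'] | b64decode }}"
```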

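--- a/roles/cifmw_cephadm/templates/ceph_rgw.yml.j2
+++ b/roles/cifmw_cephadm/templates/ceph_rgw.yml.j2
@@ -13,6 +13,11 @@ spec:
 rgw_frontend_port: 8082
 rgw_realm: default
 rgw_zone: default
+{% if rgw_frontend_cert is defined %}
+ssl: true
+rgw_frontend_ssl_certificate: |
+{{ rgw_frontend_cert | indent( width=4 ) }}
+{% endif %}
 ---
 service_type: ingress
 service_id: rgw.default
@@ -26,3 +31,7 @@ spec:
 virtual_ip: {{ cifmw_cephadm_rgw_vip }}
 virtual_interface_networks:
 - {{ cifmw_cephadm_rgw_network }}
+{% if rgw_frontend_cert is defined %}
+ssl_cert: |
+{{ rgw_frontend_cert | indent( width=4 ) }}
+{% endif %}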
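Review bot: Both new blocks key on `rgw_frontend_cert is defined`, and that name is a host fact created by `set_fact` in tasks/rgw.yml, so it persists across plays on the same host (and across runs when fact caching is on); a later run with `cifmw_cephadm_certificate` cleared can still render `ssl: true` and the stale PEM into the spec. Guarding on the role variable as well is more robust, `{% if cifmw_cephadm_certificate | length > 0 and rgw_frontend_cert is defined %}`, in both places. The same PEM is rendered twice, for the RGW beast frontend and for the haproxy ingress, with nothing saying this is intentional; a short comment above the first block, such as `{# same PEM for the ingress (haproxy) and the RGW backends, which also serve TLS #}`, would save the next reader a trip to the tasks file.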
